A Short History of HIPAA Privacy & Security
In 1996, when HIPAA was first enacted into law, we are quite certain that it was viewed as something of a regulatory oddity. It was the first time that protected health information ("PHI") had been regulated under federal law in any significant way. The Privacy & Security Rules, other than the changes introduced by the HITECH Act, were largely as they exist in their current form. Of course, back then the healthcare industry was still using 19th-century administrative procedures (e.g. electronic health records were not yet a glimmer in a Chief Medical Officer's eye), and so the Security Rule, which dealt exclusively with ePHI, could mostly be ignored.
Even back then there was no hurry to move forward with Privacy & Security regulations. The implementation date of the HIPAA Privacy Rule was April 14, 2003. The implementation date for the HIPAA Security Rule was April 20, 2005. The "big push" back then was standardization of certain financial transactions used for billing. It's almost as if Privacy & Security were an "oh, by the way, we probably should include some Privacy & Security regulations in HIPAA" afterthought, added to keep the "tree huggers" happy. Of course, the actual legislative history was likely not portrayed in such a cynical manner, and for all we know, the intention of the legislators could have been quite serious. BUT HIPAA's impact, from a Privacy & Security perspective, was negligible to non-existent when first promulgated in 1996. Sure, everyone complied with the Privacy Rule's Notice of Privacy Practices requirement, and not much else. The dirty little secret, which almost everyone in the healthcare industry knew, was that HIPAA was a paper tiger. In legal terms, a "dead letter": a law in name only, but otherwise completely unenforced.
The HITECH Act: a Game Changer?
The HITECH Act changed all that; well, at least it purported to do so. HHS still "slow walked" the corresponding regulations and, despite all the fanfare, six years out the majority of the healthcare industry has still not gotten the message: the HIPAA status quo has been changed forever. Well, to be fair, the industry has gotten the message, but has failed en masse to act on it. The difference is that the HITECH Act's 800-pound gorilla (AKA Breach Notification) is now the elephant in the room that refuses to be ignored. Breach Notification is forcing the healthcare industry to pay attention because it has become an inescapable legal reality. If you have a major breach, or even a minor one, it is going to cost you a ton of money to respond to it. It could easily damage your reputation in a significant way, and otherwise ruin your day.
It remains somewhat unclear why the industry has been so slow to respond to such a real threat, but we can posit a few reasons: (1) part of the industry wants to continue to ignore HIPAA because it remains a "red-headed stepchild," mostly unwelcome in C-suites and boardrooms, especially those of small players (of which there are thousands); (2) the industry has its collective "hair on fire" with EHRs, the ACA (e.g. pay-for-performance), ICD-10, mobile, social media, the cloud, etc.; and (3) actually complying with the HIPAA rules requires rethinking an organization's approach to compliance (i.e. from a necessary evil to part of its organizational DNA). In other words, change is hard, and healthcare is undergoing 150 years of change in five.
We have been somewhat critical of HHS because it has not helped move the process forward. First, it has "coddled" the industry by developing "tools" that purportedly make it easier to perform a Risk Assessment, when the latter is a completely non-trivial exercise that is NEVER going to be easy. Second, HHS' cost-of-implementation data is misleading. It has been forced to completely understate what it takes to comply with the Rules. Part of the political "magic" behind these low cost estimates is that HHS wrongfully assumed that organizations were already in compliance with the Rules, since they had been promulgated years ago. Of course, HHS knew full well that this was not the case. It knew that prior to the HITECH Act HIPAA was a paper tiger. It also knew that any semblance of a realistic cost estimate was politically untenable. It's the fox telling the chickens that "protecting the hen house won't set you back that much!"
It's Not Your Daddy's HIPAA Anymore!
The healthcare industry has witnessed its fair share of data breaches in the last few years, including: Tricare (4.9M in 2011); Complete Health Systems (4.5M in 2014); and Advocate Health (4.03M in 2013). This year we also witnessed a purported cyber attack from China against Community Health Systems. In short, awareness has steadily grown among healthcare professionals that their information systems are not just vulnerable but increasingly so. High-profile industry CIOs called for a change in thinking about how to respond to cyber threats. Perimeter defenses all seemed permeable, and the thinking in some circles changed from preventing intrusions to assuming intrusions will happen and strengthening secondary defenses. Secondary defenses include the obvious (encryption) and the less obvious: organization-wide policies against storing PHI on local devices, and two-factor authentication.